Why would cybercriminals target nonprofit organizations—entities dedicated to doing good? According to Alex Brown, Director of Cybersecurity Solutions at Richey May, the answer is both chilling and practical: “Hackers are heartless,” he says. “They just want the information or funds or whatever they can get.”
In this eye-opening episode, host Julia Patrick and Alex explore the intersection of digital vulnerability and mission-driven work. Nonprofits may not seem like lucrative targets, but they often possess exactly what bad actors seek: valuable donor data, low cybersecurity maturity, and outdated assumptions about their exposure to risk.
Alex breaks down how modern cyberattacks no longer rely solely on high-dollar ransoms. Instead, sensitive donor data—especially involving high-net-worth individuals—can be easily sold on the dark web. What makes nonprofits especially attractive is not just the value of the data but the relative ease of access. “The corner store is a lot easier to take things from than your bank,” Alex notes, comparing nonprofit vulnerabilities to the path of least resistance.
AI has accelerated this threat. With the rise of tools like ransomware-as-a-service, cybercriminals now use bots to scan for weaknesses and deliver targets without lifting a finger. While nonprofit teams may be using AI for grant writing, hackers are using it to scale attacks with terrifying efficiency.
The conversation also confronts the false sense of security that nonprofits draw from cloud-based platforms. Many believe these tools handle all aspects of protection. In reality, the shared responsibility model places the onus on organizations to control user access, manage passwords, and train staff to identify suspicious activity. “It’s secure while it’s in the cloud—but who accesses that cloud is your responsibility,” says Alex.
From scam trends that leverage urgency psychology to long-term breaches that go undetected for months, the threats are evolving. But so can the response. Alex introduces the concept of a cybersecurity roadmap—a phased approach that focuses on policy, technical controls, incident response, and employee education. Remote work, he warns, adds new dimensions to the threat landscape if employee devices and networks aren’t properly secured.
This isn’t a “one-and-done” initiative—it’s a mindset. “You don’t do cybersecurity this year,” says Alex. “You do it forever.”